US11496301B2ActiveUtilityA1

Publish/subscribe messaging

45
Assignee: IBMPriority: Feb 21, 2020Filed: Feb 21, 2020Granted: Nov 8, 2022
Est. expiryFeb 21, 2040(~13.6 yrs left)· nominal 20-yr term from priority
H04L 63/0435H04L 63/062H04L 67/55H04L 9/3263H04L 9/0819H04L 41/20H04L 51/23H04L 9/085H04L 63/065H04L 67/303H04W 12/041H04W 12/0433H04L 9/0891H04L 63/0823H04L 12/2859H04L 12/2874
45
PatentIndex Score
0
Cited by
25
References
23
Claims

Abstract

Some embodiments of the present invention comprise a method, system, and/or computer program product for a publish/subscribe messaging system. A processor identifies a subscriber of a pub/sub messaging system. The processor retrieves a stored encrypted key for the identified subscriber of the pub/sub messaging system. The processor communicates the retrieved encrypted key to a user selected from a group comprising a publisher of the pub/sub messaging system and the identified subscriber of the pub/sub messaging system. The processor implements end-to-end encryption of messages of the pub/sub messaging system based on key-groups.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented method for a publish/subscribe (pub/sub) messaging system, the method comprising:
 identifying a subscriber of a pub/sub messaging system; 
 retrieving a stored encrypted key for the identified subscriber of the pub/sub messaging system; 
 communicating the retrieved encrypted key to a user of the pub/sub messaging system; 
 implementing end-to-end encryption of messages of the pub/sub messaging system based on key-groups, wherein implementing end-to-end encryption further comprises:
 negotiating a shared secret with the subscriber; and 
 generating an encrypted key for the subscriber, based on the shared secret; and 
 
 responsive to an un-subscription of a first subscriber of the pub/sub messaging system where the un-subscription did not cause a re-keying procedure:
 tracking certificates of ex-subscribers that un-subscribed since a most recent first re-keying procedure was undertaken; 
 determining that the first subscriber has become unauthorized; and 
 in response to determining that the first subscriber has become unauthorized, initiating a second re-keying procedure that is after the most recent first re-keying procedure was undertaken. 
 
 
     
     
       2. The method of  claim 1 , wherein implementing end-to-end encryption further comprises:
 storing the encrypted key for the subscriber of the pub/sub messaging system. 
 
     
     
       3. The method of  claim 1 , further comprising:
 identifying a key-group for a subscriber of the pub/sub messaging system based on a heuristic of the pub/sub messaging system. 
 
     
     
       4. The method of  claim 3 , wherein the heuristic of the pub/sub messaging system is based on a factor selected from the group consisting of a subscription persistence, a lifetime of an existing subscription, and a lifetime of a previous subscription. 
     
     
       5. The method of  claim 1 , further comprising:
 communicating with publishers and subscribers of the pub/sub messaging system; and subscribing to topics based on communications from the publishers and subscribers of the pub/sub messaging system. 
 
     
     
       6. The method of  claim 1 , further comprising:
 validating a certification chain of a publisher or subscriber of the pub/sub messaging system. 
 
     
     
       7. The method of  claim 1 , further comprising:
 notifying a publisher of the pub/sub messaging system that a subscriber of the pub/sub messaging system has not been supplied with new keys during a re-keying procedure. 
 
     
     
       8. A computer system for a publish/subscribe (pub/sub) messaging system, the computer system comprising:
 a processor set; and 
 one or more computer readable storage media; 
 wherein: the processor set is structured, located, connected and/or programmed to run program instructions collectively stored on the one or more computer readable storage media; and 
 the program instructions include instructions programmed to perform:
 identifying a subscriber of a pub/sub messaging system; 
 retrieving a stored encrypted key for the identified subscriber of the pub/sub messaging system; 
 communicating the retrieved encrypted key to a user of the pub/sub messaging system; 
 implementing end-to-end encryption of messages of the pub/sub messaging system based on key-groups, wherein implementing end-to-end encryption further comprises program instructions programmed to perform:
 negotiating a shared secret with the subscriber; and 
 generating an encrypted key for the subscriber, based on the shared secret; and 
 
 responsive to an un-subscription of a first subscriber of the pub/sub messaging system where the un-subscription did not cause a re-keying procedure:
 tracking certificates of ex-subscribers that un-subscribed since a most recent first re-keying procedure was undertaken; 
 determining that the first subscriber has become unauthorized; and 
 in response to determining that the first subscriber has become unauthorized, initiating a second re-keying procedure that is after the most recent first re-keying procedure was undertaken. 
 
 
 
     
     
       9. The computer system of  claim 8 , wherein implementing end-to-end encryption further comprises program instructions programmed to perform:
 storing the encrypted key for the subscriber of the pub/sub messaging system. 
 
     
     
       10. The computer system of  claim 8 , further comprising program instructions programmed to perform:
 identifying a key-group for a subscriber of the pub/sub messaging system based on a heuristic of the pub/sub messaging system. 
 
     
     
       11. The computer system of  claim 10 , wherein the heuristic of the pub/sub messaging system is based on a factor selected from the group consisting of a subscription persistence, a lifetime of an existing subscription, and a lifetime of a previous subscription. 
     
     
       12. The computer system of  claim 8 , further comprising program instructions programmed to perform:
 communicating with publishers and subscribers of the pub/sub messaging system; and 
 subscribing to topics based on communications from the publishers and subscribers of the pub/sub messaging system. 
 
     
     
       13. The computer system of  claim 8 , further comprising program instructions programmed to perform:
 validating a certification chain of a publisher or subscriber of the pub/sub messaging system. 
 
     
     
       14. The computer system of  claim 8 , further comprising program instructions programmed to perform:
 notifying a publisher of the pub/sub messaging system that a subscriber of the pub/sub messaging system has not been supplied with new keys during a re-keying procedure. 
 
     
     
       15. A computer program product for a publish/subscribe (pub/sub) messaging system, the computer program product comprising:
 one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions comprising instructions to perform:
 identifying a subscriber of a pub/sub messaging system; 
 retrieving a stored encrypted key for the identified subscriber of the pub/sub messaging system; 
 communicating the retrieved encrypted key to a user of the pub/sub messaging system; 
 implementing end-to-end encryption of messages of the pub/sub messaging system based on key-groups, wherein implementing end-to-end encryption of messages further comprises negotiating a shared secret with the subscriber; 
 generating an encrypted key for the subscriber, based on the shared secret; and 
 responsive to an un-subscription of a first subscriber of the pub/sub messaging system where the un-subscription did not cause a re-keying procedure:
 tracking certificates of ex-subscribers that un-subscribed since a most recent first re-keying procedure was undertaken; 
 determining that the first subscriber has become unauthorized; and 
 in response to determining that the first subscriber has become unauthorized, initiating a second re-keying procedure that is after the most recent first re-keying procedure was undertaken. 
 
 
 
     
     
       16. The computer program product of  claim 15 , wherein:
 the computer program product is a computer system; and 
 the computer program product further comprises a processor set structured and/or connected in data communication with the one or more computer readable storage media so that the processor set executes computer instructions collectively stored on the one or more computer readable storage media. 
 
     
     
       17. A computer-implemented method for a publish/subscribe (pub/sub) messaging system, the method comprising:
 identifying, by a middleware system, a subscriber of the pub/sub messaging system; 
 retrieving, by the middleware system, a stored encrypted key for the identified subscriber of the pub/sub messaging system; 
 communicating, by the middleware system, the retrieved encrypted key to a user of the pub/sub messaging system; 
 implementing, by the middleware system, end-to-end encryption of messages of the messaging system based on key-groups; 
 negotiating, by the middleware system, a shared secret with the subscriber; 
 generating, by the middleware system, an encrypted key for the subscriber based on the shared secret; and 
 responsive to an un-subscription of a first subscriber of the pub/sub messaging system where the un-subscription did not cause a re-keying procedure:
 tracking certificates of ex-subscribers that un-subscribed since a most recent first re-keying procedure was undertaken; 
 determining that the first subscriber has become unauthorized; and 
 in response to determining that the first subscriber has become unauthorized, initiating a second re-keying procedure that is after the most recent first re-keying procedure was undertaken. 
 
 
     
     
       18. The method of  claim 17 , further comprising:
 storing, by the middleware system, an encrypted key for the subscriber of the pub/sub messaging system. 
 
     
     
       19. The method of  claim 17 , further comprising:
 identifying, by the middleware system, a key-group for a subscriber of the pub/sub messaging system based on a heuristic of the pub/sub messaging system. 
 
     
     
       20. The method of  claim 19 , wherein the heuristic of the pub/sub messaging system is based on a factor selected from the group consisting of a subscription persistence, a lifetime of an existing subscription, and a lifetime of a previous subscription. 
     
     
       21. A computer-implemented method for a publish/subscribe (pub/sub) messaging system, the method comprising:
 identifying, by a key management system, a subscriber of the pub/sub messaging system; 
 retrieving, by the key management system, from a key storage component, an encrypted key for the identified subscriber of the pub/sub messaging system; 
 communicating, by the key management system, the retrieved encrypted key to a user of the pub/sub messaging system; 
 implementing, by the key management system, end-to-end encryption of messages of the messaging system based on key-groups; 
 negotiating, by the key management system, a shared secret with the subscriber; 
 generating, by the key management system, an encrypted key for the subscriber, based on the shared secret; and 
 responsive to an un-subscription of a first subscriber of the pub/sub messaging system where the un-subscription did not cause a re-keying procedure: 
 tracking certificates of ex-subscribers that un-subscribed since a most recent first re-keying procedure was undertaken; 
 determining that the first subscriber has become unauthorized; and 
 in response to determining that the first subscriber has become unauthorized, initiating a second re-keying procedure that is after the most recent first re-keying procedure was undertaken. 
 
     
     
       22. The method of  claim 21 , wherein implementing end-to-end encryption further comprises:
 storing, by the key management system, the encrypted key for the subscriber of the pub/sub messaging system. 
 
     
     
       23. The method of  claim 21 , further comprising:
 identifying, by the key management system, a key-group for a subscriber of the pub/sub messaging system based on a heuristic of the pub/sub messaging system, wherein the heuristic of the pub/sub messaging system is based on a factor selected from the group consisting of a subscription persistence, a lifetime of an existing subscription, and a lifetime of a previous subscription.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.